Event banner
Event details
14 Comments
Thank you for joining us this week for the Windows Server Summit! Q&A is now closed, but all sessions are available on demand so you can watch and learn when it is convenient for you. We hope you enjoyed the event.
- Thanks for sharing!
- Can storage replica feature be available for replicating data across different sites in various geographical locations?
- Yes, typically when you have enabled asynchronous replication. It will come down to your network pipe being wide enough for your IO to answer this in a specific use case (which is where compression can help a great deal). It also supports encryption on the wire if that network is MPLS or something else untrustworthy when compared to say, dark fiber.
- Thank you Ned and Danny for Sharing this with the community 🙂
- Hey! Hello! You are everywhere! Happy to see you again.
- You guys need to make a bigger deal about that deprecation of WinRM w/ no further development! That's huge that SSH will be the way to go for us hybrid Windows/Linux admins - good to see honestly.
- Danny Maertens
Microsoft
Deprecation is not the same as no longer receiving updates. There are no plans to remove WinRM capabilities from Windows Server, and it will continue to receive security updates. But, new features are all being developed for SSH and PowerShell remoting over SSH. Glad to see your excitement for SSH in Windows! We think this transition will lead to more secure connections and robust experience for Windows Server admins and make heterogeneous environment management much easier.
- For RDP access over SSH, do you have a way to make Kerberos work? The SSH tunnel won't provide a KDC line-of-sight, and pointing mstsc.exe to a localhost port means you can't use the FQDN for the destination host, which will also break Kerberos and cause an NTLM fallback.
- Danny MaertensWe currently don't have a way to make kerberos work with RDP. Feel free to open an issue on our GitHub repo for a feature request so that we can track and prioritize this. https://github.com/powershell/win32-openssh
- it's not actually a Win32-OpenSSH feature request, but a minor fix in mstsc.exe that I've been trying to get the RDP team to do for several years. Putting aside the need for KDC proxying if the new IAKerb feature is available to provide the KDC line-of-sight, any kind of TCP tunnel like SSH tunneling will break Kerberos because of the usage of "localhost" instead of the proper target FQDN. There's an internal option to explicitly provide a destination server name different from the connection hostname (your localhost SSH tunnel), but it is currently only used for RD Gateway connections. I have exposed the required "UserSpecifiedServerName" option through API hooking in MsRdpEx: https://github.com/Devolutions/MsRdpEx TL;DR: I know exactly how to make this work, it's actually really simple and I'd be happy to help you do it. There's a minor fix Microsoft could do in mstsc, but since I've been unable to get any movement on that front for years, we're using API hooking to expose what's needed to make Kerberos work for our customers through a solution similar to SSH tunneling. In our case, we don't use IAKerb but a KDC proxy which we also inject dynamically into mstsc using our API hooking, as there are a couple of other limitations that would be trivial to fix in the source we needed to work around.
- Can you open a true PowerShell Remoting over SSH connection instead of simply executing PowerShell through regular SSH?
- Danny MaertensYes! Here is the docs page for PowerShell remoting over SSH: https://learn.microsoft.com/powershell/scripting/learn/remoting/ssh-remoting-in-powershell?view=powershell-7.4
Welcome! Demo bytes: SSH for Azure Arc | Storage Replica is starting now. If you have any questions or feedback for our product teams, please post them here in the Comments.
